Advocate Data Breach: The $1 Billion Lawsuit?

As covered in our blog last week, Advocate Health Care, a large Chicago-based health system, reported a data breach at one of its subsidiaries in which the theft of four laptops led to over four million compromised patient records. This event marks the second largest healthcare data breach in history, and, to put this into perspective, alone accounted for over 17% of the total number of patient records breached as reported to HHS since it started keeping track in 2009.

What Happened When Advocate Neglected Encryption Mandates

However, what made the event particularly noteworthy was that Advocate had gone down this road before with a 2009 data breach with a mostly mirrored fact pattern. Despite previous mandates from OCR/HHS to encrypt all portable devices, Advocate neglected to do so. The result? A class action lawsuit that likely will break all data breach records.

My colleague (and self-professed Game of Thrones lover) summed it up the best, “brace yourself: a staggering settlement is coming.” The lawsuit filed last week neglected to disclose some damages that the class is willing to seek, but if we look at some recent data breach class actions, we can very quickly see that an astronomical figure is possible here. For instance, in a lawsuit stemming from a 2009 action involving Stanford Hospital & Clinics, a class representative alleged $20 million in damages for 20,000 exposed patient files. This $1,000/per patient figure is not out of left field – lawsuits across the country in these sorts of actions frequently demand damages in the high three figures range per patient.

$1 Billion Settlement for a Healthcare Data Breach

So, yes, the Advocate data breach could easily break the $1 billion mark via settlement, a number that would reach tobacco company settlement range. This event exemplifies that unfathomable risk that covered entities face in the digital health age. Unfortunately, few providers realize these dangers until it’s too late. As we’ve argued in this column many times, the best risk management strategy starts with a risk assessment. Discover where your patients’ PHI is going, and make sure you’re doing everything in your power to minimize the biggest risks. If you do this, you’re one significant step ahead of the average provider and a few steps farther away from being the next facility to let millions of records of PHI walk out your front door.